unbound-cli 1.6.3 → 1.6.5

package/test/cli-flush.test.js

@@ -0,0 +1,101 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const { Command } = require('commander');
+
+// WEB-4941, root cause #2: telemetry.init() runs for every command at startup,
+// but flush()/Sentry.close() only happened inside wrapAction (setup/onboard/
+// discover). Every other command left Sentry's background timers holding the
+// event loop ~1min when a DSN was set. The fix wraps program.parseAsync in an
+// IIFE whose finally always calls telemetry.flush().
+//
+// These tests prove the two invariants that IIFE relies on:
+//  A) flush() is a no-op + idempotent when telemetry is disabled (no DSN), so
+//     the common path adds zero latency and a double-flush can't throw.
+//  B) the try/parseAsync/finally/flush pattern preserves the action's exit code.
+// No real Sentry, no network.
+
+function freshTelemetry() {
+  delete require.cache[require.resolve('../src/telemetry')];
+  return require('../src/telemetry');
+}
+
+function withEnv(vars, fn) {
+  const saved = {};
+  for (const k of Object.keys(vars)) {
+    saved[k] = process.env[k];
+    if (vars[k] === undefined) delete process.env[k];
+    else process.env[k] = vars[k];
+  }
+  try {
+    return fn();
+  } finally {
+    for (const k of Object.keys(vars)) {
+      if (saved[k] === undefined) delete process.env[k];
+      else process.env[k] = saved[k];
+    }
+  }
+}
+
+test('cli flush: telemetry.flush() is a no-op and idempotent when no DSN is set', async () => {
+  await withEnv({ UNBOUND_CLI_SENTRY_DSN: undefined, UNBOUND_TELEMETRY: undefined }, async () => {
+    const t = freshTelemetry();
+    // Both calls resolve without throwing — the no-op + idempotency the IIFE
+    // (and a possible double-flush with wrapAction) rely on.
+    await t.flush();
+    await t.flush();
+  });
+});
+
+test('cli flush: the entry pattern preserves a command-set exit code', async () => {
+  const savedExitCode = process.exitCode;
+  process.exitCode = 0;
+  try {
+    await withEnv({ UNBOUND_CLI_SENTRY_DSN: undefined }, async () => {
+      const t = freshTelemetry();
+      const p = new Command();
+      p.exitOverride();
+      p.command('x').action(async () => { process.exitCode = 7; });
+
+      // The exact shape index.js uses around program.parseAsync.
+      try {
+        await p.parseAsync(['node', 'cli', 'x']);
+      } finally {
+        await t.flush();
+      }
+
+      assert.equal(process.exitCode, 7, 'flush in finally must not clobber the command exit code');
+    });
+  } finally {
+    process.exitCode = savedExitCode;
+  }
+});
+
+test('cli flush: an action that throws past its own handler exits non-zero, not an unhandled crash', async () => {
+  const savedExitCode = process.exitCode;
+  process.exitCode = 0;
+  let caught = false;
+  try {
+    await withEnv({ UNBOUND_CLI_SENTRY_DSN: undefined }, async () => {
+      const t = freshTelemetry();
+      const p = new Command();
+      p.exitOverride();
+      p.command('boom').action(async () => { throw new Error('escaped'); });
+
+      // The exact try/catch/finally shape index.js uses — a rejection must be
+      // turned into a non-zero exit + flush, never an UnhandledPromiseRejection.
+      try {
+        await p.parseAsync(['node', 'cli', 'boom']);
+      } catch {
+        caught = true;
+        process.exitCode = process.exitCode || 1;
+      } finally {
+        await t.flush();
+      }
+
+      assert.equal(caught, true, 'the rejection must be caught, not left unhandled');
+      assert.equal(process.exitCode, 1, 'a thrown action must yield a non-zero exit code');
+    });
+  } finally {
+    process.exitCode = savedExitCode;
+  }
+});

package/test/download-pipe-hole.test.js

@@ -0,0 +1,221 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const { Command } = require('commander');
+
+// The old `curl -fsSL ... | bash -s --` / `| python3 -` pipe reported the
+// SHELL's exit code, not curl's, and dash has no pipefail — so a failed download
+// (GitHub down/404/empty) silently ran an empty script and exited 0 = fake
+// success. The fix is download-then-run with a non-200/empty-body check.
+//
+// These tests prove the hole is closed: a failed download now causes a NON-zero
+// exit / a rejection, never a silent success. No real network is used — the
+// download is stubbed to fail.
+
+// Stub utils.downloadToFile BEFORE requiring discover so the destructured
+// binding inside discover.js captures the stub, not the real https downloader.
+function freshDiscover(downloadStub) {
+  for (const m of ['../src/commands/discover', '../src/utils', '../src/config', '../src/output', '../src/telemetry']) {
+    delete require.cache[require.resolve(m)];
+  }
+  const utils = require('../src/utils');
+  if (downloadStub) utils.downloadToFile = downloadStub;
+  const config = require('../src/config');
+  const output = require('../src/output');
+  const discover = require('../src/commands/discover');
+  return { utils, config, output, discover };
+}
+
+test('discover: a failed script download makes runDiscoveryScan REJECT (no silent success)', async () => {
+  // Simulate GitHub returning a 404 / partial — downloadToFile rejects before
+  // bash ever runs, so the scan can't fake-succeed.
+  const { discover } = freshDiscover(async () => { throw new Error('Failed to download install.sh: HTTP 404'); });
+
+  await assert.rejects(
+    () => discover.runDiscoveryScan({ apiKey: 'disc-key', domain: 'https://b.acme' }),
+    /Failed to download/,
+  );
+});
+
+test('discover: an empty-body 200 download also rejects (empty script is not success)', async () => {
+  const { discover } = freshDiscover(async () => { throw new Error('Failed to download install.sh: empty response body'); });
+
+  await assert.rejects(
+    () => discover.runDiscoveryScan({ apiKey: 'disc-key' }),
+    /empty response body/,
+  );
+});
+
+test('discover command: a failed download sets process.exitCode = 1 (not a silent 0)', async () => {
+  const { output, discover } = freshDiscover(async () => { throw new Error('Failed to download install.sh: HTTP 500'); });
+  for (const k of ['info', 'success', 'error', 'warn']) output[k] = () => {};
+
+  const savedExit = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const program = new Command();
+    program.exitOverride();
+    discover.register(program);
+    // Non-root user scope; the scan download fails → exitCode must become 1.
+    await program.parseAsync(['node', 'unbound', 'discover', '--api-key', 'disc-key']);
+    assert.equal(process.exitCode, 1, 'failed download must surface a non-zero exit code');
+  } finally {
+    process.exitCode = savedExit;
+  }
+});
+
+// The tests below exercise the SHIPPED utils.downloadToFile (no inline re-impl).
+// The production function defaults to https.get but accepts an injectable
+// `{ transport }` so we can drive it against a local http server without TLS —
+// this guarantees the real byte-count guard AND the security hardening are what's
+// under test.
+const http = require('http');
+const os = require('os');
+const path = require('path');
+const fs = require('fs');
+
+// One shared local server. Routes:
+//   /empty   200 with a zero-byte body   (pipe-hole: must reject)
+//   /ok      200 with a normal body      (must succeed, file mode 0600)
+//   /404     404                         (non-200: must reject)
+function startServer() {
+  const server = http.createServer((req, res) => {
+    if (req.url === '/empty') { res.writeHead(200); res.end(); }
+    else if (req.url === '/404') { res.writeHead(404); res.end('nope'); }
+    else { res.writeHead(200); res.end('echo hi\n'); }
+  });
+  return new Promise((resolve) => {
+    server.listen(0, '127.0.0.1', () => resolve({ server, port: server.address().port }));
+  });
+}
+
+// Fresh utils each time so a prior test's mutation can't leak in.
+function freshUtils() {
+  delete require.cache[require.resolve('../src/utils')];
+  return require('../src/utils');
+}
+
+// A unique path inside a private dir so each test starts from a clean slate.
+function freshTmp(suffix) {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'dl-test-'));
+  return { dir, file: path.join(dir, `script${suffix}`) };
+}
+
+test('downloadToFile (shipped): rejects a 200 with an empty body (pipe hole stays closed)', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    await assert.rejects(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/empty`, file, { transport: http }),
+      /empty response body/,
+    );
+    // The partial/empty file must not be left behind.
+    assert.equal(fs.existsSync(file), false, 'empty download must not leave a file');
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): rejects a non-200 (404)', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    await assert.rejects(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/404`, file, { transport: http }),
+      /HTTP 404/,
+    );
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): writes the file with owner-only mode 0600', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    await utils.downloadToFile(`http://127.0.0.1:${port}/ok`, file, { transport: http });
+    assert.equal(fs.readFileSync(file, 'utf8'), 'echo hi\n');
+    const mode = fs.statSync(file).mode & 0o777;
+    assert.equal(mode, 0o600, `expected 0600, got 0${mode.toString(8)}`);
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): a pre-existing file at the target FAILS (EEXIST, no overwrite)', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    // Attacker pre-creates the predictable path with their own payload.
+    fs.writeFileSync(file, 'malicious-preexisting\n');
+    await assert.rejects(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/ok`, file, { transport: http }),
+      (err) => err.code === 'EEXIST',
+      'an existing target must yield EEXIST, never be overwritten',
+    );
+    // The attacker's content must be untouched (we did not follow/overwrite it).
+    assert.equal(fs.readFileSync(file, 'utf8'), 'malicious-preexisting\n');
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): a symlink at the target FAILS (ELOOP/EEXIST, not followed)', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  // The symlink points at a victim file the attacker wants us to clobber.
+  const victim = path.join(dir, 'victim.txt');
+  fs.writeFileSync(victim, 'do-not-touch\n');
+  fs.symlinkSync(victim, file);
+  try {
+    await assert.rejects(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/ok`, file, { transport: http }),
+      (err) => err.code === 'ELOOP' || err.code === 'EEXIST',
+      'a symlink at the target must not be followed',
+    );
+    // The victim behind the symlink must be untouched.
+    assert.equal(fs.readFileSync(victim, 'utf8'), 'do-not-touch\n');
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): a normal download succeeds and stores the body', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    await assert.doesNotReject(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/ok`, file, { transport: http }),
+    );
+    assert.equal(fs.readFileSync(file, 'utf8'), 'echo hi\n');
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('withSecureTempFile (shipped): creates a 0700 private dir and removes it after', async () => {
+  const utils = freshUtils();
+  let seenPath = null;
+  let seenDirMode = null;
+  await utils.withSecureTempFile('.py', async (p) => {
+    seenPath = p;
+    seenDirMode = fs.statSync(path.dirname(p)).mode & 0o777;
+    fs.writeFileSync(p, 'x'); // simulate a download into it
+  });
+  assert.equal(seenDirMode, 0o700, `expected dir mode 0700, got 0${(seenDirMode || 0).toString(8)}`);
+  assert.ok(seenPath.endsWith('.py'));
+  // The whole private dir (and the file inside it) must be gone afterward.
+  assert.equal(fs.existsSync(seenPath), false, 'temp file must be cleaned up');
+  assert.equal(fs.existsSync(path.dirname(seenPath)), false, 'temp dir must be cleaned up');
+});

package/test/onboard-failure-exit.test.js

@@ -0,0 +1,125 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const { Command } = require('commander');
+
+// Onboarding-failure observability, client side:
+//  - a failed setup must set process.exitCode = 1 (no fake success), and
+//  - the best-effort failure report must never change that exit code or mask the
+//    real error, even when the report POST itself fails (offline/429).
+//
+// All downstream deps are stubbed; no network, no setup scripts, no Sentry.
+
+function loadOnboard({ isRoot, setupOk, reportThrows }) {
+  for (const m of [
+    '../src/commands/onboard', '../src/commands/setup', '../src/commands/discover',
+    '../src/auth', '../src/config', '../src/output', '../src/scheduled',
+    '../src/setup-report', '../src/telemetry',
+  ]) {
+    delete require.cache[require.resolve(m)];
+  }
+
+  const calls = { setup: 0, discovery: 0, report: 0 };
+  const setup = require('../src/commands/setup');
+  const discover = require('../src/commands/discover');
+  const auth = require('../src/auth');
+  const config = require('../src/config');
+  const output = require('../src/output');
+  const setupReport = require('../src/setup-report');
+
+  setup.hasRootPrivileges = () => isRoot;
+  // Mirror runBatch's real behavior: on failure it sets exitCode and (best-effort)
+  // reports, then returns { ok: false }. We model both the report call and the
+  // exitCode side effect so the test exercises onboard's own handling.
+  const bundle = async () => {
+    calls.setup++;
+    if (!setupOk) {
+      process.exitCode = 1;
+      calls.report++;
+      await setupReport.reportSetupFailure({ step: 'cursor', exitCode: 2 });
+      return { ok: false, skipped: [] };
+    }
+    return { ok: true, skipped: [] };
+  };
+  setup.runSetupAllBundle = bundle;
+  setup.runMdmSetupAllBundle = bundle;
+  discover.runDiscoveryScan = async () => { calls.discovery++; };
+  auth.ensureLoggedIn = async () => {};
+  config.setUrls = () => ({});
+  config.getApiKey = () => 'resolved-key';
+  config.getBaseUrl = () => 'https://b.acme';
+  config.getFrontendUrl = () => 'https://f.acme';
+  config.getGatewayUrl = () => 'https://g.acme';
+  config.isLoggedIn = () => true;
+  for (const k of ['info', 'success', 'error', 'warn']) output[k] = () => {};
+
+  // The failure-report POST fails (offline/429) — must be swallowed.
+  const api = require('../src/api');
+  api.post = async () => {
+    if (reportThrows) throw new Error('offline / ECONNREFUSED');
+    return {};
+  };
+
+  return { calls };
+}
+
+async function runOnboard(env) {
+  const { calls } = env;
+  const { register } = require('../src/commands/onboard');
+  const program = new Command();
+  program.exitOverride();
+  register(program);
+  await program.parseAsync(['node', 'unbound', 'onboard', '--api-key', 'k', '--discovery-key', 'd']);
+  return calls;
+}
+
+test('onboard: a failed setup sets process.exitCode = 1 and does NOT run discovery', async () => {
+  const saved = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const env = loadOnboard({ isRoot: false, setupOk: false, reportThrows: false });
+    const calls = await runOnboard(env);
+    assert.equal(process.exitCode, 1, 'failed setup must exit non-zero');
+    assert.equal(calls.setup, 1, 'setup bundle ran');
+    assert.equal(calls.discovery, 0, 'discovery must not run after a failed setup');
+  } finally {
+    process.exitCode = saved;
+  }
+});
+
+test('onboard (sudo/MDM): a failed MDM setup also sets process.exitCode = 1', async () => {
+  const saved = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const env = loadOnboard({ isRoot: true, setupOk: false, reportThrows: false });
+    await runOnboard(env);
+    assert.equal(process.exitCode, 1, 'failed MDM setup must exit non-zero');
+  } finally {
+    process.exitCode = saved;
+  }
+});
+
+test('onboard: a failing failure-report POST is swallowed — exit code stays 1, not masked', async () => {
+  const saved = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const env = loadOnboard({ isRoot: false, setupOk: false, reportThrows: true });
+    const calls = await runOnboard(env);
+    assert.equal(calls.report, 1, 'a failure report was attempted');
+    assert.equal(process.exitCode, 1, 'a failing telemetry POST must not change the exit code');
+  } finally {
+    process.exitCode = saved;
+  }
+});
+
+test('onboard: a successful setup proceeds to discovery and exits 0', async () => {
+  const saved = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const env = loadOnboard({ isRoot: false, setupOk: true, reportThrows: false });
+    const calls = await runOnboard(env);
+    assert.equal(calls.discovery, 1, 'discovery runs after a successful setup');
+    assert.equal(process.exitCode, 0, 'a clean onboard keeps exit code 0');
+  } finally {
+    process.exitCode = saved;
+  }
+});

package/test/setup-args.test.js

@@ -3,7 +3,7 @@ const assert = require('node:assert/strict');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
-const { buildScriptArgs, scriptSupportsBackfill, resolveSetupAllTools, clearUnboundEnvsEverywhere, NUKE_ENV_VARS } = require('../src/commands/setup');
+const { buildScriptArgs, scriptSupportsBackfill, resolveSetupAllTools, clearUnboundEnvsEverywhere, NUKE_ENV_VARS, removeBinaryInstall, BINARY_INSTALL_PATHS } = require('../src/commands/setup');
 
 // shellEscape single-quotes every value, so a real key surfaces as
 // --api-key '<key>' at the head of the argv tail.
@@ -219,3 +219,180 @@ if (process.platform !== 'win32') {
     }
   });
 }
+
+// All assertions below route through path overrides into a tmp dir and force
+// runLaunchctl:false — the real /opt/unbound + /Library/LaunchDaemons/... are
+// never touched (the dev host has a real binary install).
+function makeFakeBinaryInstall() {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-'));
+  const optDir = path.join(tmp, 'opt', 'unbound');
+  const versionDir = path.join(optDir, '0.1.5');
+  fs.mkdirSync(path.join(versionDir, 'unbound-hook'), { recursive: true });
+  fs.mkdirSync(path.join(versionDir, 'unbound-discovery'), { recursive: true });
+  fs.writeFileSync(path.join(versionDir, 'unbound-hook', 'unbound-hook'), '#!fake binary\n');
+  fs.writeFileSync(path.join(versionDir, 'unbound-discovery', 'unbound-discovery'), '#!fake binary\n');
+  fs.mkdirSync(path.join(optDir, 'etc'), { recursive: true });
+  fs.writeFileSync(path.join(optDir, 'etc', 'discovery.json'), '{}');
+  fs.symlinkSync(versionDir, path.join(optDir, 'current'));
+  const daemonPlist = path.join(tmp, 'Library', 'LaunchDaemons', 'ai.getunbound.discovery.plist');
+  fs.mkdirSync(path.dirname(daemonPlist), { recursive: true });
+  fs.writeFileSync(daemonPlist, '<plist/>');
+  const newsyslogConf = path.join(tmp, 'etc', 'newsyslog.d', 'ai.getunbound.conf');
+  fs.mkdirSync(path.dirname(newsyslogConf), { recursive: true });
+  fs.writeFileSync(newsyslogConf, '# rotate\n');
+  const logDir = path.join(tmp, 'var', 'log', 'unbound');
+  fs.mkdirSync(logDir, { recursive: true });
+  fs.writeFileSync(path.join(logDir, 'discovery.log'), 'old logs\n');
+  return { tmp, optDir, daemonPlist, newsyslogConf, logDir };
+}
+
+test('removeBinaryInstall: full install layout — wipes plist + newsyslog + logs + /opt/unbound', () => {
+  const fx = makeFakeBinaryInstall();
+  try {
+    const { removed, failed } = removeBinaryInstall({
+      optDir: fx.optDir,
+      daemonPlist: fx.daemonPlist,
+      newsyslogConf: fx.newsyslogConf,
+      logDir: fx.logDir,
+      runLaunchctl: false,
+    });
+    assert.equal(removed.length, 4, `expected 4 removed, got ${JSON.stringify(removed)}`);
+    assert.deepEqual(failed, [], `unexpected failures: ${JSON.stringify(failed)}`);
+    assert.ok(!fs.existsSync(fx.optDir), 'optDir survived');
+    assert.ok(!fs.existsSync(fx.daemonPlist), 'plist survived');
+    assert.ok(!fs.existsSync(fx.newsyslogConf), 'newsyslog survived');
+    assert.ok(!fs.existsSync(fx.logDir), 'logDir survived');
+    // Each label appears in the summary so `unbound nuke` output names what went.
+    for (const label of ['LaunchDaemon plist', 'newsyslog conf', 'log dir', 'install tree']) {
+      assert.ok(removed.some(s => s.startsWith(label)), `summary missing ${label}: ${removed.join('; ')}`);
+    }
+  } finally {
+    fs.rmSync(fx.tmp, { recursive: true, force: true });
+  }
+});
+
+test('removeBinaryInstall: nothing present (python-only install) — returns empty lists silently', () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-empty-'));
+  try {
+    const { removed, failed } = removeBinaryInstall({
+      optDir: path.join(tmp, 'opt', 'unbound'),
+      daemonPlist: path.join(tmp, 'Library', 'LaunchDaemons', 'ai.getunbound.discovery.plist'),
+      newsyslogConf: path.join(tmp, 'etc', 'newsyslog.d', 'ai.getunbound.conf'),
+      logDir: path.join(tmp, 'var', 'log', 'unbound'),
+      runLaunchctl: false,
+    });
+    assert.deepEqual(removed, []);
+    assert.deepEqual(failed, []);
+  } finally {
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+test('removeBinaryInstall: partial install (only /opt/unbound, no daemon/log) — removes what exists', () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-partial-'));
+  const optDir = path.join(tmp, 'opt', 'unbound');
+  fs.mkdirSync(optDir, { recursive: true });
+  fs.writeFileSync(path.join(optDir, 'marker'), 'x');
+  try {
+    const { removed, failed } = removeBinaryInstall({
+      optDir,
+      daemonPlist: path.join(tmp, 'Library', 'LaunchDaemons', 'ai.getunbound.discovery.plist'),
+      newsyslogConf: path.join(tmp, 'etc', 'newsyslog.d', 'ai.getunbound.conf'),
+      logDir: path.join(tmp, 'var', 'log', 'unbound'),
+      runLaunchctl: false,
+    });
+    assert.equal(removed.length, 1);
+    assert.ok(removed[0].startsWith('install tree'), removed[0]);
+    assert.deepEqual(failed, []);
+    assert.ok(!fs.existsSync(optDir));
+  } finally {
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+// Bugbot: when a removal step fails (e.g. plist locked by launchd), it must
+// land in the returned `failed` list AND not appear in `removed`, so the
+// outer nuke summary surfaces a partial wipe instead of printing "success".
+test('removeBinaryInstall: rm failure surfaces in `failed`, not `removed`', () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-rmfail-'));
+  // Pass an existsSync-true path that fs.rmSync can't remove. The simplest
+  // way to force rmSync to throw is to point optDir at a regular file owned
+  // by another process — but cross-platform that's flaky. Instead, monkey-
+  // patch fs.rmSync just for this call to simulate the real-world EBUSY.
+  const optDir = path.join(tmp, 'opt', 'unbound');
+  fs.mkdirSync(optDir, { recursive: true });
+  const realRmSync = fs.rmSync;
+  fs.rmSync = (p, opts) => {
+    if (p === optDir) throw new Error('EBUSY: resource busy or locked');
+    return realRmSync(p, opts);
+  };
+  try {
+    const { removed, failed } = removeBinaryInstall({
+      optDir,
+      daemonPlist: path.join(tmp, 'plist'),
+      newsyslogConf: path.join(tmp, 'newsyslog'),
+      logDir: path.join(tmp, 'log'),
+      runLaunchctl: false,
+    });
+    assert.deepEqual(removed, [], 'install tree must not be in removed when rmSync threw');
+    assert.equal(failed.length, 1, `expected 1 failure, got ${JSON.stringify(failed)}`);
+    assert.ok(failed[0].startsWith('install tree'), failed[0]);
+  } finally {
+    fs.rmSync = realRmSync;
+    realRmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+// Guards against accidental drift of the hard-coded paths.
+test('BINARY_INSTALL_PATHS: defaults match setup/packaging/pkg/postinstall layout', () => {
+  assert.equal(BINARY_INSTALL_PATHS.optDir, '/opt/unbound');
+  assert.equal(BINARY_INSTALL_PATHS.daemonPlist, '/Library/LaunchDaemons/ai.getunbound.discovery.plist');
+  assert.equal(BINARY_INSTALL_PATHS.daemonLabel, 'ai.getunbound.discovery');
+  assert.equal(BINARY_INSTALL_PATHS.newsyslogConf, '/etc/newsyslog.d/ai.getunbound.conf');
+  assert.equal(BINARY_INSTALL_PATHS.logDir, '/var/log/unbound');
+});
+
+// Safety net: dev machines often have a real /opt/unbound install. Calling
+// removeBinaryInstall with ANY production-default path requires the explicit
+// `_confirmProductionPaths:true` ack, so a no-override test (or refactor
+// drift) fails loudly instead of wiping the dev's real install. This works
+// regardless of NODE_ENV — production sets the ack, tests don't.
+test('removeBinaryInstall: refuses production-default paths without _confirmProductionPaths', () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-guard-'));
+  try {
+    assert.throws(() => removeBinaryInstall(),
+      /_confirmProductionPaths/, 'no-arg call must throw');
+    // Partial override (logDir left at production) must throw.
+    assert.throws(() => removeBinaryInstall({
+      optDir: path.join(tmp, 'opt', 'unbound'),
+      daemonPlist: path.join(tmp, 'plist'),
+      newsyslogConf: path.join(tmp, 'newsyslog'),
+      runLaunchctl: false,
+    }), /_confirmProductionPaths/, 'partial override leaving logDir defaulted must throw');
+    // Greptile P2: daemonLabel must be checked when runLaunchctl is true.
+    // All four paths overridden, but default daemonLabel + runLaunchctl:true
+    // → would call `launchctl bootout system/ai.getunbound.discovery` on the
+    // real host. Must throw.
+    assert.throws(() => removeBinaryInstall({
+      optDir: path.join(tmp, 'opt', 'unbound'),
+      daemonPlist: path.join(tmp, 'plist'),
+      newsyslogConf: path.join(tmp, 'newsyslog'),
+      logDir: path.join(tmp, 'log'),
+      runLaunchctl: true,
+    }), /_confirmProductionPaths/, 'default daemonLabel with runLaunchctl:true must throw');
+    // Full override with runLaunchctl:false does NOT throw (no prod surface).
+    assert.doesNotThrow(() => removeBinaryInstall({
+      optDir: path.join(tmp, 'opt', 'unbound'),
+      daemonPlist: path.join(tmp, 'plist'),
+      newsyslogConf: path.join(tmp, 'newsyslog'),
+      logDir: path.join(tmp, 'log'),
+      runLaunchctl: false,
+    }));
+  } finally {
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+test('BINARY_INSTALL_PATHS: is frozen', () => {
+  assert.ok(Object.isFrozen(BINARY_INSTALL_PATHS));
+});